Almost everywhere, being a CISO means dealing with limited budgets, competing priorities, tools that don’t quite fit the problem and myriad other constraints. Most security leaders adapt, and work within those boundaries to protect their organizations as best they can. But for a few, adaptation and making do with what’s available isn’t enough. The limitations are not just a problem to get around, but an opportunity to build something new.
The motivations for making the jump can vary. For some it is closing security gaps they’ve battled for years, for others it’s about escaping corporate inertia, or proving that security can drive business value. What unites them is the desire to create rather than just defend. Paul Hadjy, Joe Silva, Chris Pierson, and Michael Coates are four security leaders who made that transition. Here’s what they built and what they learned in the process.
Paul Hadjy
Paul Hadjy: The chaos of being a founder was worth it
Back in 2016, when Paul Hadjy was working in Asia as a senior security leader, he noticed few vendors were focused on cloud security. Much like the early days in the US, governments and enterprises were hesitant to embrace the cloud. “I had been working in Asia for a couple of years when I joined a company that, like many others, was struggling to find vendors and solutions to address their public cloud security needs,” he recalls. “There were very few products or service providers focused on this area, and I saw a major opportunity to build a company dedicated to solving that problem,” who previously served in security roles at Grab in Singapore, Palantir Technologies and Arete Associates.
That opportunity became Horangi, a cloud security company Hadjy founded to fix frustrations he carried as a CISO. “As a senior security leader, it was often difficult to secure the resources and executive support needed to address pressing challenges,” he says. “When I started my own company, I wanted to ensure that security would never be treated as an afterthought.”
From the outset, Hadjy made security a core part of Horangi’s culture. Everyone shared responsibility, and every individual was treated as a potential target. Security, he emphasized, wasn’t only about protection, it was also about building customer trust. “In many businesses, security is still not viewed as a sales enabler, which was a constant frustration for me,” Hadjy says. At Horangi, he flipped that thinking and grounded the business in the belief that visible, robust security practices could create the trust needed to drive revenue. “We recognized early that demonstrating strong security practices builds trust, especially with enterprise customers. Protecting both company and customer data provides confidence and ultimately becomes a competitive advantage.”
Lessons learned from a CISO building a cloud security business
The transition from CISO to founder required a new mindset. The toughest mental shift wasn’t about technology or markets. Rather, it was about ruthless prioritization. Limited resources forced constant trade-offs, and Horangi often had to invent its own ways to overcome them. In 2016, with SaaS still emerging, the company for instance had to rely on its own platform and custom processes, built by its engineering and services teams, to secure its environment. “That experience reinforced the importance of adaptability and innovation when building from the ground up.”
There were moments as an entrepreneur when things looked bleak, Hadjy concedes. And more than once, Horangi nearly ran out of money, with runway shrinking to just a couple of months. Those experiences forced painful cost cuts while fundraising under pressure. “Resilience and the ability to build pain tolerance through lessons learned ultimately pushed us forward,” he says. “Those moments tested us, but they also taught us how to stay disciplined and focused under pressure.”
Vindication came in 2023 when Bitdefender acquired Horangi. Hadjy found in Bitdefender a “security-first” culture that confirmed his belief that trust built through security could become a business differentiator.
Looking back, Hadjy admits the early chaos of launching a startup while stressful and isolating was also deeply rewarding. Still, he says, at times being a CISO felt even more challenging than being a founder. “Everyone has an opinion…The difficulty is that while they might be right at a project level, they often don’t have the full picture at the company level,” he says. The founder journey taught him to navigate competing perspectives, make tough calls, and stay focused on the bigger picture. “The journey was filled with challenges, but it also gave me invaluable lessons and the chance to work with incredible people,” Hadjy says. “While it wasn’t easy, the experience was transformative, and for me, the chaos of being a founder was absolutely worth it.”
Joe Silva
Joe Silva: Breaking the Groundhog Day cycle
For Joe Silva, the decision to transition from cyber defense to company building wasn’t sparked by a single defining moment. Rather it stemmed from his experience of being a CISO at different organizations and constantly having to deal with the same issue and challenges again and again. The same dissonance, across organizations, between the vulnerability posture that leadership wanted and what they were willing to pay to achieve it.
“There was no one specific incident,” recalls Silva of his decision to launch vulnerability management firm Spektion. “But it was definitely prompted by a “Groundhog Day” feeling.” It was that sense of déjà vu, that having to endlessly balance risk posture against cost that sparked the desire to try a new path, says Silva whose previous roles included being CISO at JLL and Transunion.
Silva’s frustrations as a CISO weren’t just philosophical, they were structural. Too often, Silva recalls, CISOs had to push vulnerability management onto their peers in technology because they don’t have the tools at their disposal to manage the risk directly.
Launched in 2024, Spektion provides a cloud-based runtime vulnerability management platform that helps organizations spot and prioritize software risk, especially in third-party and software supply-chain components. “Spektion’s focus on a better way to proactively manage vulnerability risk was certainly shaped by my experiences, both in dealing with third-party software related breaches and providing security leaders with more agency to manage vulnerability risk,” Silva says. “We saw the opportunity to make managing vulnerability risk less of a political challenge and more of an engineering challenge.”
It’s a market segment that Silva acknowledges some might perceive as “legacy” and “unsexy”. Startups tend to pursue flashy, future-facing problems while ignoring persistent, real-world ones, like software vulnerability management that security leaders and teams have to grapple with daily, he says.
Right from the outset, Silva made sure that accountability was a core part of Spektion’s culture and operations. Many early employees came from enterprise security backgrounds, where they had observed firsthand how a lack of clear accountability often prevented organizations from achieving their desired cybersecurity goals. “As a leader, every action you take shapes the culture and you need to be conscious of that without acting with artifice.”
Alongside accountability, Silva instilled another principle he had lived by as a CISO: “If you’re getting incrementally better, you are losing. You cannot keep up, let alone gain ground, vis-à-vis cyber threats,” he says. “If you allow yourself to be satisfied with just making some progress day over day, you’re overall falling behind.”
The freedom of starting a business
Moving from defending an organization to building one demanded a completely different mindset. “When you join a company, there’s an existing culture,” he explains. “When you start a company, you aren’t stepping into a culture, and you can’t just materialize one from thin air.” Every decision, every hire, every action you take needs to help shape the culture.
Founding a company also unlocked some unexpected freedoms. Among the biggest was the ability to do things without self-censoring or worrying about what you might have to break, he notes. “When you start a company anew, you need to constantly remind yourself that you can just do things…it’s incredibly liberating.”
Silva doesn’t completely rule out returning to being a CISO someday. But for now, he is enjoying his new role thoroughly. “Being a founder and CEO, while by no means easy, is the best job I ever had,” Silva says. “I feel like we are on offense everyday planning, building, and delivering solutions. I can’t imagine going back to playing defense right now.”
Chris Pierson
Chris Pierson: Protecting digital lives beyond the firewall
Chris Pierson’s goal when launching BlackCloak in 2018 was to close a gap he’d seen widen between the protections companies invested in and the near-total lack of security around the personal lives of their top executives. Attackers, he noticed, were no longer stopping at corporate firewalls. They were increasingly going after high-value executives, board members, and venture capitalists in their personal lives. Motivations included financial theft, reputational attacks, intellectual property theft, and often using a compromised home device or network to ride back into the corporate environment.
“For over a decade before starting BlackCloak, I had seen cybercriminals and nation states attack high-value targets in their personal lives,” says Pierson, a former Royal Bank of Scotland chief privacy officer and two-time fintech CISO. Adversaries had recognized that breaching a heavily defended corporate network was far more difficult than targeting executives through their poorly protected home environments. But while the threat was startlingly clear, the tools for addressing it were fragmented: a VPN here, an identity theft monitoring service there. “Nothing was built to go head-to-head with these threat actors,” Pierson recalls.
That realization became the spark for BlackCloak, a company that offers a suite of digital executive protection services for leaders and their families. Its services include online privacy protection, personal device security, home network security, and rapid incident response to mitigate threats like cyberattacks, identity theft, and financial fraud.
Pierson’s approach to building BlackCloak drew on a career that was anything but linear. “Over the years I’ve had many roles, from a programmer to cybersecurity and privacy law expert, a chief privacy officer, general counsel, chief information security officer, and more,” he says. “Along the way I developed a theme of trying to help the good guys defeat the bad guys, nation states, and cybercriminals.” Whether responding to data breaches, implementing privacy control frameworks, anti-money laundering controls, identity theft red flag rules, or cybersecurity programs, everything fit a common theme: preventing harm. It was the combination of these disparate experiences that Pierson leveraged when building and leading his team at BlackCloak.
One principle that Pierson has focused on embedding into BlackCloak’s culture is designing programs that fit the business. Another is the understanding that privacy and security cannot be separated. Privacy is so foundational at BlackCloak that three of its nine executives hold IAPP certifications, with some certified for nearly two decades. “Privacy is at our core,” Pierson says. “Saying you love privacy or it’s a core tenet is different than showing that it always has been a north star.”
The things he learned he enjoyed
Transitioning from CISO to CEO required adjustment. As a security and privacy leader, Pierson relished day-to-day collaboration and problem-solving. “It was incredibly fulfilling to dig into building the right controls with input from product, engineering, and others,” he says. “I really relished the ability to over-communicate what we were doing, why we were doing it, and set up the communication lines ahead of time.” Seeing projects he led sail through assurance and due diligence reviews was especially rewarding because it validated the effort behind them.
There’s less of that now. The smaller, invitation-only events he once attended with peers are off-limits, and program-building is less hands-on. “As a CEO of a cybersecurity company I sometimes miss some of those larger projects and program building activities,” he says. His focus now is to “continue to channel the voice of the CISO in what my team and I are doing.”
Michael Coates
Michael Coates: From Twitter CISO to Venture Capitalist
During his four years as chief information security officer at Twitter between 2014 and 2018, Michael Coates became deeply immersed in San Francisco’s startup ecosystem. His role gave him a front-row seat to the rapidly evolving security landscape and exposed him to both the promise and the vulnerabilities of modern technology. It was this perspective that eventually sparked a desire to build something of his own.
The technology space Coates settled on addressed a pressing gap. At the time, organizations were increasingly adopting cloud collaboration platforms such as Google Drive and Box, often without considering the risks of inadvertent data exposure. Enterprises had little visibility into what employees were sharing, with whom, or whether sensitive documents were accidentally exposed to unauthorized users. From his vantage point at Twitter, Coates saw that companies lacked effective ways to monitor file-sharing activity, enforce proper access controls, or detect when confidential data was accidentally made public. What organizations needed, he realized, was a platform that could provide real-time visibility into document sharing, security permissions, and sensitive data exposure.
In 2018, Coates left Twitter to launch Altitude Networks. The company built a platform that connected directly to cloud collaboration tools via their APIs, scanning and analyzing every document, sharing permission, and security control in real time. The technology could instantly flag when sensitive data was being shared inappropriately and surface potential security issues before they escalated into breaches. It was the start of what would become the cloud security posture management (CSPM) market. “There was a gap in the market, and I knew it was the right problem to solve at the right time,” Coates says of his decision to focus on cloud security.
His instincts proved correct. Early traction came quickly: the Democratic National Committee (DNC) signed on as a customer, followed by major movie studios, cryptocurrency firms, and healthcare companies. These early wins validated that Altitude’s technology was addressing a critical problem for CISOs. “What we built wasn’t just a nice-to-have feature,” Coates notes. “It helped CISOs distinguish between the critical risks that needed attention and the things that could wait.”
The challenges of transitioning from CISO to CEO and a new business
The transition from CISO to startup CEO brought new challenges. “As a CISO, the focus is comprehensive coverage. As a founder, you face constant trade-offs — go deeper in one area or cover more ground?” Coates tells. As an example, early on, his team wrestled with a fundamental decision over which cloud collaboration platform to support first. Should they start with the platform they knew best or the one with the largest potential user base? While faster adoption was tempting, the real priority was to build a scalable, robust solution that could grow effectively over time.
Coates’ CISO background shaped not only his approach to security but also the culture he built at Altitude. “Being a CISO made us less bombastic, less prone to exaggeration,” he reflects. “Our culture was grounded in truth, not embellishment.” The company was SOC 2 compliant from day one. Developers received secure code training immediately. The architecture was designed from the start with users in mind.
In 2022, Altitude was acquired by CoinList. Coates stayed on through the transition, and later launched SevenHill Ventures, a venture fund built on insights from his experience as both a founder and a CISO. The fund focuses on helping entrepreneurs navigate the challenges of building venture-backed companies, providing practical guidance and operational support. His first fund returned 2.5 times the capital invested to its partners.
Reflecting on the emotional reality of entrepreneurship, Coates is candid. “One day everything is amazing, you’re on top of the world. The next day you’re not, and nothing has actually changed.” A founder’s reality is waking at 4 a.m. worrying about payroll, legal issues, and being the chief problem solver, he says wryly. CISOs considering the leap would do well to leverage their current position to prepare, to rekindle relationships with peers, and have early conversations with potential customers and investors.
“Your background gives you an edge, but stepping into a startup is a completely different world. You have to leverage what you know and build new relationships fast,” Coates says. But in the end, the effort is worth it. “Innovation is messy and imperfect, but it’s the minds taking leaps that make the impossible possible.”